[midPoint] UserTemplate - Role Assignment based on Org Assignment Property

Ivan Noris Ivan.Noris at evolveum.com
Sat Nov 19 12:52:24 CET 2016


Hi Martin,

that's a surprise for me, because I'm not using master but a 3.4-based branch... and the main logic is similar to what I'm using, even in older versions...

Did it just not work, or were there some errors displayed/logged? Maybe the developers would know based on that behaviour.

Regards,
Ivan

----- Original Message -----

> From: "Martin Marchese" <mmarchese at identicum.com>
> To: "midPoint General Discussion" <midpoint at lists.evolveum.com>
> Sent: Friday, November 18, 2016 11:20:18 PM
> Subject: Re: [midPoint] UserTemplate - Role Assignment based on Org Assignment Property

> Thanks Ivan, that worked like a charm! And it's a very nice solution!
>
> However, just to let you know, it worked only on MidPoint 3.5 snapshot, we
> tested that in 3.4.1 with no luck.

> Regards

> Ing. Martín Marchese
> Identicum S.A.
> Jorge Newbery 3226
> Tel: +54 (11) 4552-3050
> mmarchese at identicum.com
> www.identicum.com

> On Fri, Nov 18, 2016 at 4:19 PM, Ivan Noris < ivan.noris at evolveum.com >
> wrote:

> > Hi,
> >
> > there might be a way to do this in an object template, but it could be
> > complicated.
> >
> > I would probably try a metarole instead:
> >
> > 1. all organizations should have a metarole assigned (not induced)
> >
> > 2. roles STUDENT and TEACHER will be defined by you to do whatever is needed
> > for users
> >
> > 3. the metarole would have two order=2 inducements for users which have the
> > organization assigned. One of the inducements would induce the STUDENT role
> > if the assignment parameter metaRelation for "this" organization is STUDENT.
> > The other would assign the TEACHER role if the assignment parameter for
> > "this" organization is TEACHER. The inducements would be indirect, i.e. you
> > would not see the STUDENT/TEACHER role assigned in the user's Assignments tab
> > (this may or may not be a problem for you).
> >
> > Technically it would mean that one person with 20 organizations assigned as
> > TEACHER would end up with 20 assignments of the same role TEACHER, but I
> > believe that midPoint will "normalize" this and only one role TEACHER would
> > be assigned in reality.
> >
> > The metarole should look similar to this (untested):

> > <role ...>
> >   <name>Teacher/Student Org Metarole</name>
> >   <inducement>
> >     <targetRef oid="00000000-dc00-dc00-0004-000000000078" type="c:RoleType"><!-- STUDENT --></targetRef>
> >     <condition>
> >       <source>
> >         <path>$focusAssignment/xyz:metaRelation</path><!-- xyz is your namespace -->
> >       </source>
> >       <expression>
> >         <script>
> >           <code>metaRelation == 'STUDENT'</code>
> >         </script>
> >       </expression>
> >     </condition>
> >     <focusType>c:UserType</focusType><!-- to apply only to users even if the organization is assigned to another organization -->
> >     <order>2</order><!-- to apply to users which have the organization assigned -->
> >   </inducement>
> >   <inducement>
> >     <targetRef oid="00000000-dc00-dc00-0004-000000000111" type="c:RoleType"><!-- TEACHER --></targetRef>
> >     <condition>
> >       <source>
> >         <path>$focusAssignment/xyz:metaRelation</path><!-- xyz is your namespace -->
> >       </source>
> >       <expression>
> >         <script>
> >           <code>metaRelation == 'TEACHER'</code>
> >         </script>
> >       </expression>
> >     </condition>
> >     <focusType>c:UserType</focusType>
> >     <order>2</order>
> >   </inducement>
> > </role>
> 

> > I hope I'm correct. I have done similar stuff, but not this specific one.
> >
> > Regards,
> >
> > Ivan
> >
> > On 11/18/2016 06:44 PM, Martin Marchese wrote:
> >
> > > Hi Ivan, thanks for your answer,
> > >
> > > Yes that's correct, they should be assigned without any parameters based
> > > on the org assignment types.
> > >
> > > Regards
> > >
> > > Ing. Martín Marchese
> > > Identicum S.A.
> > > Jorge Newbery 3226
> > > Tel: +54 (11) 4552-3050
> > > mmarchese at identicum.com
> > > www.identicum.com
> > >
> > > On Fri, Nov 18, 2016 at 12:34 PM, Ivan Noris < ivan.noris at evolveum.com >
> > > wrote:
> > >

> > > > Hi Martin,
> > > >
> > > > the STUDENT and TEACHER roles are "static" in terms of assignment
> > > > parameters? They are (should be) just assigned without any parameters
> > > > whenever the user has any org with STUDENT-type assignment or any role
> > > > with TEACHER-type assignment?
> > > >
> > > > Ivan
> > > >
> > > > On 11/16/2016 08:37 PM, Martin Marchese wrote:
> > > >

> > > > > Hi All,
> > > > >
> > > > > We had our AssignmentType extended with a "metaRelation" extension
> > > > > property.
> > > > >
> > > > > Users are assigned to an OrgType.
> > > > >
> > > > > Our OrgType represents schools and within this "metaRelation" property
> > > > > we store whether the assigned user is a STUDENT or a TEACHER.
> > > > >
> > > > > Besides, we have 2 Roles (STUDENT and TEACHER roles).
> > > > >
> > > > > We would like to use our user template to assign the corresponding role
> > > > > to the user based on which "metaRelation" it has within the Org.
> > > > >
> > > > > Users could be STUDENT and/or TEACHER on more than one Org, so while the
> > > > > user has at least one of these assignments, it needs to have the
> > > > > corresponding role assigned.
> > > > >
> > > > > We are thinking if there's a way to query the user Org assignments within
> > > > > the template and use it as source for the target role assignment.
> > > > >
> > > > > Is this the best/correct way to do it? Do you recommend any other way?
> > > > >
> > > > > Thanks in Advance
> > > > >
> > > > > Regards,
> > > > >
> > > > > Ing. Martín Marchese
> > > > > Identicum S.A.
> > > > > Jorge Newbery 3226
> > > > > Tel: +54 (11) 4552-3050
> > > > > mmarchese at identicum.com
> > > > > www.identicum.com
> > > > >

> > > > > _______________________________________________
> > > > > midPoint mailing list
> > > > > midPoint at lists.evolveum.com
> > > > > http://lists.evolveum.com/mailman/listinfo/midpoint
> > > >

> > > > --
> > > > Ivan Noris
> > > > Senior Identity Engineer evolveum.com
> > >


> > --
> > Ivan Noris
> > Senior Identity Engineer evolveum.com



--
Ivan Noris
Senior Identity Engineer
evolveum.com
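Added example, not code from the thread or from midPoint itself: a small, simplified Python model of how the metarole's two order-2 inducements would be evaluated for a user with several org assignments. The role OIDs are the ones from the thread; the school OIDs, the data classes and the evaluation helper are constructed for illustration and do not reproduce midPoint's real assignment evaluator.

```python
# Added example (not code from the thread or from midPoint): a simplified model
# of evaluating the metarole's two order-2 inducements for one focus object.
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Set

STUDENT_ROLE_OID = "00000000-dc00-dc00-0004-000000000078"  # OID used in the thread
TEACHER_ROLE_OID = "00000000-dc00-dc00-0004-000000000111"  # OID used in the thread


@dataclass
class Assignment:
    target_oid: str
    target_type: str                                      # "OrgType" or "RoleType"
    params: Dict[str, str] = field(default_factory=dict)  # extension props, e.g. metaRelation


@dataclass
class Inducement:
    target_oid: str
    order: int
    focus_type: str
    condition: Callable[[Assignment], bool]               # evaluated against $focusAssignment


# The metarole from the thread, as conditions over the focus (org) assignment.
METAROLE_INDUCEMENTS: List[Inducement] = [
    Inducement(STUDENT_ROLE_OID, 2, "UserType",
               lambda a: a.params.get("metaRelation") == "STUDENT"),
    Inducement(TEACHER_ROLE_OID, 2, "UserType",
               lambda a: a.params.get("metaRelation") == "TEACHER"),
]


def effective_roles(focus_type: str, assignments: Iterable[Assignment],
                    orgs_with_metarole: Set[str]) -> Set[str]:
    """Roles the metarole induces for a focus object (simplified model).

    Each org assignment of the focus is the $focusAssignment the condition
    sees; an order-2 inducement applies only when the org actually holds the
    metarole and the focus type matches. The result is a set, so 20 TEACHER
    orgs collapse into one TEACHER role, which is the normalization Ivan
    expects midPoint to perform.
    """
    roles: Set[str] = set()
    for a in assignments:
        if a.target_type != "OrgType" or a.target_oid not in orgs_with_metarole:
            continue
        for ind in METAROLE_INDUCEMENTS:
            if ind.order == 2 and ind.focus_type == focus_type and ind.condition(a):
                roles.add(ind.target_oid)
    return roles
```

An org assignment whose metaRelation is missing or spelled differently induces nothing, so the extension property must be set consistently on every org assignment for the scheme to work.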